Nectar began rewarding shoppers in 2002, and now around 20 million members collect and spend points at a variety of high-street and online retailers. In February this year, Nectar was bought by supermarket chain Sainsbury’s, which now also owns catalogue chain Argos.

In the fraud, Nectar points are redeemed – often in high street stores – to buy goods. The first victims know of it is when they try to spend their Nectar balance and find instead that their account is empty. So prolific are the fraudsters that, in some cases, victims have even found they’ve been left with a negative balance.

There are some patterns to the fraud:

Victims are adamant that their physical Nectar card – which is required to redeem points for goods in store – hasn’t been stolen or mislaid, and wasn’t even in the same town as where the points were redeemed

Argos appears to be a hot-spot for fraudsters redeeming Nectar points

How does Nectar card fraud work?

That is the million Nectar point question. On the surface, this is very straightforward:

In order for Nectar points to be redeemed in-store, a card bearing the customer’s name must be produced (as per Argos T&Cs)

Yet, victims report that their cards hadn’t been lost or stolen at the time of the fraud – some were even in different countries

So, a natural conclusion would be that the fraud involves card cloning, whereby fake copies of victims’ cards are being made by fraudsters which are then used in-store.

Whatever Nectar knows about the fraud, however, it remains tight-lipped. Its typical response is:

We take security extremely seriously at Nectar and have an active programme of monitoring and remediation.

We ask people to treat their Nectar cards like they do their bank cards, in that if they notice suspicious activity or if it goes missing, we ask that they report it, so that we can block their accounts, protect their points and conduct a thorough probe.

We encourage customers to help minimise exposure to suspicious activity by embracing good cyber hygiene such as using complex passwords for online accounts and changing these on a regular basis.

We have rigorous processes and procedures in place to constantly monitor for fraudulent activity and we regularly invest in new technologies to protect our customers’ accounts.

Two things occur to me here:

Nectar suggests we exercise “good cyber hygiene”. While that’s always sound advice, reading between the lines here it suggests that Nectar is concerned that its online accounts are part of the fraud. This could be how criminals are able to identify Nectar accounts with large balances.

Nectar also asks members to treat Nectar cards like bank cards. This makes me angry, as Nectar clearly isn’t meeting its side of the bargain: once Nectar implements chip and PIN, multi-factor authentication and more robust fraud detection on its own systems, only then does it have the right to talk about bank-like security.

How to keep your Nectar points safe

Nectar card fraud is a real cause for concern for its members, but Nectar’s security is not – in my opinion – doing a good enough job of preventing it. As we don’t know for sure exactly how it’s happening, it’s difficult to give specific advice, but here’s what I do recommend:

Regularly log in to your Nectar account online to check your balance for any unrecognised transactions; immediately flag up to Nectar if anything doesn’t look right

Check your Nectar password is different to any you use for your other online accounts; I recommend using a password manager app to generate unique passwords and keep them safe

Watchdog airs on Wednesday nights, BBC One at 8pm and is available on-demand from BBC iPlayer.

On BBC Watchdog tonight I appear in an item highlighting gaping holes in home food delivery service Deliveroo’s security and fraud prevention systems.

Victims of so-called ‘Deliveroo fraud’ report having their credit and debit cards emptied of many hundreds of pounds on food and drink orders they never placed, to addresses many hundreds of miles from where they live.

Deliveroo’s standard response to claims of a security breach has left those affected with a bitter taste in their mouths, suggesting victims look to their own security failings instead.

The first a victim knows of the fraud is when they receive an email from Deliveroo confirming an order has been placed.

Deliveroo insists that its own systems have not been the subject of a hack or data breach; instead, the firm advises that customers should not reuse passwords and usernames across multiple online accounts.

Sound advice on its own, but a critical mass of Deliveroo victims all suffering the same fraud might suggest that Deliveroo should look again at its own security measures.

Regardless of how fraudsters are accessing Deliveroo customers’ accounts, there are further security issues that should be addressed as a matter of urgency:

Smart fraud prevention mechanisms, if present at all, appear to be ineffectual here. Purchases that are so out of character – such as those highlighted in the show – should easily be picked up by automated systems and subjected to additional verification.

Similarly, a change of delivery address should also trigger additional verification – a PIN sent to the account holder’s smartphone, for example.

Deliveroo chooses not to authenticate customer card payments with a CVV2 code. The Card Verification Value is one of the names given to the additional security number printed on the signature strip or front of the card. Deliveroo is far from the only retailer to forgo ‘card not present’ security – Amazon, with its 1-click purchase, is another. However, this lack of verification allows fraudsters to place orders on credit cards that are not theirs with no challenge at all.
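The three checks above (out-of-character spend, a delivery address far from home or never used before, and a card-not-present order with no CVV check) can be expressed as simple step-up rules. This is an added illustration, not Deliveroo’s code; the order fields, home coordinates, spend history and thresholds are all constructed for the example.

```python
from dataclasses import dataclass
from math import radians, sin, cos, asin, sqrt


# Constructed order record; field names are assumptions, not any retailer's real API.
@dataclass
class Order:
    account_id: str
    amount_gbp: float
    delivery_lat: float
    delivery_lon: float
    new_address: bool      # address never used on this account before
    cvv_verified: bool     # card-not-present check performed at checkout


# Constructed account history: home coordinates and typical basket size.
HOME = {"acct-1": (51.5074, -0.1278)}   # roughly central London
TYPICAL_SPEND_GBP = {"acct-1": 25.0}

# Thresholds are illustrative assumptions, not published figures.
FAR_KM = 50.0
SPEND_MULTIPLIER = 4.0


def distance_km(a, b):
    """Great-circle (haversine) distance between two (lat, lon) pairs, in km."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


def risk_signals(order):
    """Return the reasons an order looks out of character for this account."""
    reasons = []
    km = distance_km(HOME[order.account_id], (order.delivery_lat, order.delivery_lon))
    if km > FAR_KM:
        reasons.append(f"delivery {km:.0f} km from home address")
    if order.amount_gbp > SPEND_MULTIPLIER * TYPICAL_SPEND_GBP[order.account_id]:
        reasons.append(f"amount £{order.amount_gbp:.2f} far above typical spend")
    if order.new_address:
        reasons.append("first use of this delivery address")
    if not order.cvv_verified:
        reasons.append("card-not-present check skipped")
    return reasons


def decide(order):
    """'allow' an ordinary order; otherwise 'step_up' (e.g. a PIN to the account holder's phone)."""
    return "step_up" if risk_signals(order) else "allow"
```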

Deliveroo’s light touch on security can be put down to one thing: sales. Here’s how skimping on security benefits Deliveroo’s bottom line:

When we buy something, the more hoops we have to jump through to make that purchase, the more likely we’ll drop out and go somewhere else.

Understandably Deliveroo wants to make placing an order with them as simple a process as possible by cutting out as many hoops as it can.

However, some of those hoops are there for reasons of security; in removing those, Deliveroo is not only making it easier for its customers to place an order, it’s making it easier for them to be defrauded.

With very little investment in time or equipment I learnt how to intercept traffic sent between users’ devices (laptops, smartphones, tablets) and the internet.


Just to be clear – I am not a hacker, I’m a journalist, but picking up the basics was worryingly easy.

The Man in the Middle

My attack (known as a ‘Man in the Middle’ attack by ARP poisoning) targeted only a single device operated by a member of the BBC crew. It could equally have targeted a number of devices, perhaps all logged in to the Wi-Fi hotspot.

I found unencrypted traffic easily visible, plain text usernames and passwords flashed before my eyes in real time — gold dust for a hacker — and webpage images appeared on my hacktop just as they did on the victim’s machine. I was even able to work around some (but not all) websites’ attempts to enforce HTTPS security.
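ARP poisoning of the kind described above leaves two visible traces on the network: the gateway’s IP address suddenly answering from a different MAC, and one MAC answering for several IP addresses. The detector below, an added example rather than anything from the film, runs those two checks over a small constructed list of ARP replies; the gateway IP, the trusted MAC and the sample replies are all assumptions. In practice the input would come from a Wireshark capture or the local ARP table.

```python
from collections import defaultdict

# Assumed gateway address and its known-good MAC (constructed for this example).
GATEWAY_IP = "192.168.1.1"
TRUSTED = {GATEWAY_IP: "aa:bb:cc:00:00:01"}

# Constructed ARP replies as (sender_ip, sender_mac); not a real capture.
SAMPLE_REPLIES = [
    ("192.168.1.1", "aa:bb:cc:00:00:01"),    # genuine gateway reply
    ("192.168.1.23", "aa:bb:cc:00:00:23"),   # ordinary client
    ("192.168.1.1", "DE:AD:BE:EF:00:99"),    # gateway IP now claimed by another MAC
    ("192.168.1.23", "de:ad:be:ef:00:99"),   # same MAC also claims the client's IP
]


def detect_arp_spoofing(replies, trusted):
    """Flag the two classic signs of ARP poisoning in a stream of ARP replies.

    1. A trusted IP (the gateway) answering from a MAC other than the one on record.
    2. One MAC answering for more than one IP, which is what a man-in-the-middle
       does when it impersonates both the gateway and a victim at once.
    Returns a list of human-readable alerts (empty when nothing looks wrong).
    """
    alerts = []
    ips_per_mac = defaultdict(set)
    for ip, mac in replies:
        mac = mac.lower()                      # normalise case before comparing
        if ip in trusted and mac != trusted[ip].lower():
            alerts.append(f"{ip} announced by {mac}, expected {trusted[ip]}")
        ips_per_mac[mac].add(ip)
    for mac, ips in sorted(ips_per_mac.items()):
        if len(ips) > 1:
            alerts.append(f"{mac} claims {len(ips)} addresses: {', '.join(sorted(ips))}")
    return alerts


if __name__ == "__main__":
    for line in detect_arp_spoofing(SAMPLE_REPLIES, TRUSTED):
        print("ALERT:", line)
```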


I was shocked that supposedly secure websites such as John Lewis, ebay and Amazon were vulnerable to this basic attack on an iPad, along with email accounts that didn’t have SSL security enabled. Facebook and Twitter didn’t fall for the hack.

Are we really aware of how easy it is for data we send over the airwaves to be intercepted by a silent criminal? I suspect not. This is a perfect crime where victims are unaware that their details have been compromised until the criminal executes his hack hours, days or weeks later when emails get intercepted, accounts get hijacked and funds go missing.

‘Hacktop’ Tech

There’s nothing here that’s difficult to get hold of:

Sony Vaio laptop

External USB antenna

Kali Linux operating system

Tools including Wireshark, sslstrip, ettercap, driftnet

I should add that none of the software used here was illegal; Kali Linux and its bundled utilities are open source, are promoted as ‘penetration testing and ethical hacking’ software, and are used by security professionals to ensure their corporate networks and public websites remain secure against hackers. Of course, the very same software may also be used by hackers for malicious means. And then, of course, there is YouTube – there’s any number of tutorials there to help you get to grips with the tools and utilities mentioned above.

Stay Safe on Public Wi-Fi Hotspots

So there’s the scare story. But what can you do to stay safe when on public Wi-Fi?

For light browsing I prefer to bring my own network and tether from my smartphone or Mi-Fi, but my data plan is generous enough (and yes, expensive) to allow for that; if cellular reception is poor it’s painfully slow or impossible.

A VPN, or Virtual Private Network, is my next security measure – this creates a secure ‘tunnel’ between my laptop, tablet or smartphone and a server elsewhere on the internet that a fraudster cannot eavesdrop on. These can be free, fairly cheap, or you can even build your own.

If all else fails I make sure that websites I exchange data with support safe browsing, denoted by HTTPS and the green padlock (but beware that tools like ‘sslstrip’ can subvert this). I do not ignore errors from the web browser which talk about invalid certificates, even if I don’t understand exactly what they mean – I can visit those websites later when I’m on a secure connection.

How secure are apps? How do you know whether they’re secure if there’s no green padlock or HTTPS visible in an address bar? In my testing I found some apps that are blatantly not secure, broadcasting personal details, but I’ll be exploring this in more detail very soon.

My first film, a re-version of an item which aired in Watchdog in October, sees me and LBC’s James O’Brien shed light on a scam known to many as the ‘Microsoft Support Scam’, eventually catching the crooks red-handed.

A three-minute short can only tell so much of the story, so for the many who’ve gotten in touch here’s the technical bit:

On an Apple MacBook running virtual machine software I performed a fresh install of Microsoft Windows 7, loaded anti-malware software, and seeded files in my Users folder and desktop to make it look like a well-used PC. On the host Mac I ran screen recording software, an X server and the Wireshark packet sniffing software to help identify where the scammers were connecting from (alas, we didn’t get to cover the last bit in the film). My final tool was a web browser with some simple who.is tools, and an hour or so raking through some ‘who called me’ forums to find some leads.

In researching the story I’ve been indebted to generous input from Jim Browning and Troy Hunt, both of whom are very experienced at calling out PC support scammers – do check out their work.

Plenty more to come from Watchdog Wednesdays including a revelatory film on public Wi-Fi hotspot safety – keep an eye out over on BBC Three.

“Hello, this is Mark, I’m calling from the Windows Technical Department. We have identified a problem with your computer…”

Have you ever received a phone call that begins like this? I have, too many times to count. The so-called ‘Microsoft Tech Support Scam’ is almost as old as the internet itself but, like a nasty virus, it refuses to go away. I’ve just filmed an investigation for the new series of BBC Watchdog to highlight how the scam works and catch the fraudsters red-handed.

Tech Support Scam in Action (image: BBC)

Despite being plagued by these calls, I am fortunate; I know that they are almost certainly from scammers intent on stealing my money, personal details or identity. However, thousands of people do fall victim to this fraud every year with many hundreds of thousands of pounds reported stolen in the UK alone.

According to the National Fraud Intelligence Bureau (NFIB) the average victim of ‘Computer Software Service Fraud’ will be 59 years old and £210 worse off as a result of the crime, although some report losses of up to £6,000. As with many nuisance calls these criminals work on volume, and for every one hundred calls they make, if only one is successful then it will have been worthwhile.

In the past legal action against the perpetrators has proved difficult (although there have been some successes) but by showing Watchdog viewers what to look out for we hoped to raise awareness and reduce the number of victims.

We decided the best way to do this was to capture the scam in action for the cameras — a first for UK television, we think, and no mean feat given how difficult it is to track down the fraudsters. What happened next was quite intense…

Listen and share! Watchdog reveals the scare tactics scammers use to pressure us into handing over our card details.